Darknet Traffic Analysis by Focusing on The Stability of Traffic


Napaphat Vichaidis
Toui Kanai
Hiroshi Tsunoda
Glenn Mansfield Keeni

Abstract

A darknet is reachable but unused IP address space. Since legitimate hosts generally have no reason to send packets to a darknet, most of the packets seen there are the result of attacks, experiments or errors. Darknet traffic analysis is therefore a good candidate for understanding the activities of attackers, worms, and infected hosts on the Internet. In this paper, we analyse darknet traffic by focusing on traffic stability. The concept of traffic stability is that the relative volume of the dominant traffic components does not change drastically. We hypothesize that, although the volume of darknet traffic is orders of magnitude smaller than that of Internet traffic, the stability principle still holds, and that instabilities in the traffic indicate the occurrence of some event in the darknet. We categorize darknet packets based on the values of fields in the packet header and calculate the volume of the dominant components. We analysed two datasets of darknet traffic and found several significant instabilities. We analysed the causes of the instabilities and the characteristics of the corresponding packet categories. Some of the detected events could be correlated with known and recorded network events. The analysis results show that traffic stability is a useful concept even for darknet traffic analysis.
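The abstract describes the method only in outline: categorize packets by header fields, compute the relative volume of the dominant categories per observation window, and treat a drastic change in those relative volumes as an instability. The script below is an added illustration written for this page, not the authors' code, and the choices it makes are assumptions: packets are categorized by (transport protocol, destination port), the three largest categories are taken as "dominant", the instability score for a window is the largest change in share of any category that is dominant in either that window or the previous one, and a score above 0.20 is flagged. The packet data is constructed inline so the script runs offline.

```python
from collections import Counter

TOP_K = 3           # assumed: number of dominant components tracked per window
THRESHOLD = 0.20    # assumed: largest tolerated change in a dominant component's share


def make_window(counts):
    """Expand {category: packet_count} into a flat list of per-packet categories.
    Constructed data only; in practice each category would come from a real
    packet header (e.g. protocol and destination port of a captured packet)."""
    return [cat for cat, n in counts.items() for _ in range(n)]


# Constructed sample: four consecutive observation windows. The first three are
# steady (TCP/23 dominant, then TCP/445 and UDP/53); in the fourth a burst of
# TCP/5060 appears, which should be detected as an instability.
SAMPLE_WINDOWS = [
    make_window({("tcp", 23): 60, ("tcp", 445): 30, ("udp", 53): 10}),
    make_window({("tcp", 23): 58, ("tcp", 445): 32, ("udp", 53): 10}),
    make_window({("tcp", 23): 61, ("tcp", 445): 29, ("udp", 53): 10}),
    make_window({("tcp", 23): 60, ("tcp", 445): 30, ("udp", 53): 10, ("tcp", 5060): 100}),
]


def category_shares(packets):
    """Relative volume (fraction of packets) of every category in one window."""
    counts = Counter(packets)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()} if total else {}


def dominant(shares, k=TOP_K):
    """The k categories with the largest share, largest first (ties broken by name)."""
    ranked = sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))
    return [cat for cat, _ in ranked[:k]]


def instability(prev, cur, k=TOP_K):
    """Largest absolute change in share among components dominant in either window.
    Returns (score, category). A category absent from a window has share 0, so a
    newcomer that jumps straight into the dominant set scores its full share."""
    watched = set(dominant(prev, k)) | set(dominant(cur, k))
    best_cat, best = None, 0.0
    for cat in watched:
        delta = abs(cur.get(cat, 0.0) - prev.get(cat, 0.0))
        if delta > best:
            best_cat, best = cat, delta
    return best, best_cat


def detect_instabilities(windows, k=TOP_K, threshold=THRESHOLD):
    """Compare each window with its predecessor; report (index, category, score)
    for every window whose instability score exceeds the threshold."""
    events = []
    prev = category_shares(windows[0]) if windows else {}
    for i in range(1, len(windows)):
        cur = category_shares(windows[i])
        score, cat = instability(prev, cur, k)
        if score > threshold:
            events.append((i, cat, round(score, 3)))
        prev = cur
    return events


if __name__ == "__main__":
    for idx, cat, score in detect_instabilities(SAMPLE_WINDOWS):
        print(f"window {idx}: instability {score:.2f}, driven by {cat[0]}/{cat[1]}")
```

Because shares are relative, the detector is insensitive to the small absolute packet counts typical of a darknet and reacts only when the mix of dominant components shifts; the flagged category (here the TCP/5060 newcomer) is the natural starting point for the root-cause analysis the abstract describes, such as correlating the window with recorded network events.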



Section
Research Article
